ICA-Admin - only named Administrators (System level security, Administrative roles) can log in, RIGHT

Search: Users from Domino-LDAP can login, wrong password or cn --> no login, right message on the screen

Next: we configured a secure collection with secure search in Win-FS and in some domino databases.
We have to manage "My profile" - and: Secure search works fine, different matches for different users.
But it requires a login on the Domino server if we want to see a match in ICA on its Domino source.
From the LTPA view, generated in WAS, this Domino server is a member of the WAS LTPA token domain (we've imported the same LTPA key into the Web SSO document).

Next step in ICA-Admin: SSO, Configure application login settings again

check Use LTPA tokens for single sign-on (SSO)

cookie domain ".ebusiness.local"

check LTPA interoperability mode (...later try: same result if I uncheck this)

LTPA key: got the file LTPAToken.key from the WAS server and stored it locally, validate password O.K.

Now I'm logged in as a search user. If I want to type something in the search line, I get the Windows security window "The server kaw8ica1.ebusiness.local at EnterpriseSearchRealm requires a username and password". If I type username and password (and check "remember my credentials"), then it works fine in the search.
But: we don't have SSO with the Domino server, I have to log in to the Domino server too.

Get following cookies (read in Firefox)
--> delete all cookies
--> open the search

1. Name: LtpaToken2, content: (long string), domain: .ebusiness.local, path: / sent for: every connection type, valid: to the end of the session
2. Name: LtpaToken, content: other (long string); domain, path, sent for and valid: same as LtpaToken2
I'm wondering why we don't get an LTPA token for the domain .ebusiness.local from the ICA server; we get it from the Domino server.
I've noticed that the realm name in the WAS LTPA token is "defaultWIMFileBasedRealm"; it's federated against the same Domino server and some local users on the WAS.

So I added the following entries in the LTPA tokens - SSO-section (security - ICA-Admin)
Additional domain: defaultWIMFileBasedRealm
Additional user name suffix: defaultWIMFileBasedRealm
---> both entries or only one of them --> 3 tries --> same result, nothing has changed

Searching for the string "EnterpriseSearchRealm" in all files of the ES-NODE and ES-ROOT directories matched 158 files ...

Re: Jetty - SSO

My name is Thai Tran and I work for the ICA team. Let me try to help you with the SSO issue. The short answer is yes. You can import the LTPA key in a Jetty application system for SSO. Below are the necessary steps to configure SSO with an LTPA key for ICA:

1. Assuming that you have the LTPA key generated from WebSphere and imported to the Domino server. At this point, assuming SSO is working between WAS and Domino.

2. Configure LDAP for ICA. I assume that the same LDAP is used for Domino, WAS and ICA. Ideally, I would use the Domino server as LDAP for both WAS and ICA.

3. Generate LTPA key store: Go to Security > Configure Security Application Settings:
- Check "Use LTPA tokens for application single sign-on"
- Fill in "Cookie Domain name" info (Make sure you put a period in front ex: .ibm.com)
- Make sure "LTPA interoperability mode" is checked
- Click on the "Generate Key" button to create the LTPA store. You will be prompted to enter a password. Enter the password. Make sure that esltpa.jceks is created under <es_NodeRoot>/master_config. You may need to click this button a few times.

4. Import the LTPA key (generated from WAS earlier): Go to Security > Configure Security Application Settings:
- Make sure the Cookie Domain name is filled in (ex: .ibm.com)
- Make sure "LTPA interoperability mode" is checked
- Fill in "Additional Domain Name" info. That should be the realm name in your WebSphere server setting (ex: defaultWIMFileBasedRealm)
- Type in the path of the key (ex: c:\ltpa.key) and the password when prompted.
- You should see the "The specified LTPA token was successfully imported" check.

You should check to ensure that the realm name is the same among all servers and that LTPA interoperability mode is enabled for all servers also. I hope these steps will solve the issues. Let me know if you have any problems.

Re: Jetty - SSO

Hi Thai,
thanks, that was the solution.
My misunderstanding was step 3: I did not generate the key store, because I thought "I have the import", not a new one ("generate").
Now it's clear:
1. Generate the key store
2. Import the LTPA Token.
Now it works fine: Jetty with SSO with an LTPA token from a WAS.
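The thread turns on three things that are easy to get wrong and that the first post checked by reading cookies in Firefox: the cookie domain must carry a leading period so every host in the domain receives it, LTPA interoperability mode must produce both the classic LtpaToken and LtpaToken2, and a cookie that Firefox reports as sent for "every connection type" has no Secure flag, so the session token also travels over plain HTTP. The script below is an added example written for this page (it is not part of the thread and not IBM's code); it parses Set-Cookie headers with the Python standard library and reports those conditions. The header lines, token values and the expected domain are constructed sample data, and the hostname behind them is an assumption.

```python
"""Added example: inspect the LTPA SSO cookies a server sets and report the
conditions discussed in the thread (leading period in the domain, both LTPA
cookie flavours present, Secure/HttpOnly flags).

Everything below is constructed sample data, not cookies captured from the
original poster's servers; the token values are placeholders.
"""
from http.cookies import SimpleCookie

# Constructed: the kind of Set-Cookie headers a browser receives after login.
SAMPLE_SET_COOKIE_HEADERS = [
    "LtpaToken2=AAECAwQFBgcICQoLDA0ODw; Domain=.ebusiness.local; Path=/",
    "LtpaToken=EHIaHBwdHh8gISIjJCU; Domain=.ebusiness.local; Path=/",
    "JSESSIONID=0000abcd; Path=/; HttpOnly",
]

# Assumed to be the cookie domain entered in ICA-Admin (SSO settings).
EXPECTED_DOMAIN = ".ebusiness.local"

LTPA_NAMES = ("LtpaToken", "LtpaToken2")


def parse_set_cookie(headers):
    """Parse Set-Cookie header values into a dict keyed by cookie name.

    Each entry records the value, Domain and Path attributes and whether the
    Secure and HttpOnly flags were present (SimpleCookie stores absent
    attributes as the empty string, present flags as True).
    """
    cookies = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies[name] = {
                "value": morsel.value,
                "domain": morsel["domain"],
                "path": morsel["path"],
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return cookies


def check_ltpa_sso(cookies, expected_domain=EXPECTED_DOMAIN):
    """Return a list of findings about the LTPA cookies; empty means all clear."""
    findings = []
    ltpa = {n: c for n, c in cookies.items() if n in LTPA_NAMES}
    if not ltpa:
        return ["no LTPA cookie was set: the login did not produce an LTPA token"]

    # Interoperability mode issues both cookie flavours; a consumer that only
    # understands the classic LtpaToken cannot join SSO on LtpaToken2 alone.
    for name in LTPA_NAMES:
        if name not in ltpa:
            findings.append(
                f"{name} missing: LTPA interoperability mode appears to be off, "
                f"servers that expect {name} will ask for a login again"
            )

    for name, c in ltpa.items():
        domain = c["domain"]
        if not domain.startswith("."):
            # Without the leading period the browser scopes the cookie to the
            # issuing host, so the other SSO servers never receive it.
            findings.append(
                f"{name}: Domain={domain!r} has no leading period; the cookie "
                f"will only be returned to the host that set it"
            )
        elif domain.lower() != expected_domain.lower():
            findings.append(
                f"{name}: Domain={domain!r} differs from the configured "
                f"{expected_domain!r}; the servers will not share the token"
            )
        if not c["secure"]:
            # Firefox shows this as "sent for: every connection type".
            findings.append(
                f"{name}: no Secure flag, the SSO token is also sent over plain HTTP"
            )
        if not c["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, page scripts can read the token")
    return findings


if __name__ == "__main__":
    parsed = parse_set_cookie(SAMPLE_SET_COOKIE_HEADERS)
    for line in check_ltpa_sso(parsed) or ["LTPA cookies look correct"]:
        print(line)
```

On the sample headers the domain and interoperability checks pass (both tokens, `.ebusiness.local` with its period), and the script reports only the missing Secure and HttpOnly flags, which is what the "every connection type" line in the first post corresponds to. To use it against a real server, paste the Set-Cookie header values from the browser's network view into the list, or feed it the `Set-Cookie` entries from an HTTP client response.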